HTTPS access from inside a docker container fails: curl: (60) SSL certificate problem: self signed ce...

1#
Posted 2021-9-2 09:46

This post was last edited by yizhihenanjing on 2021-9-2 09:47
On ubuntu server A, running curl https://www.ygdy8.com from inside a docker container fails.

Problem:

root@qyi-58abe6739f7ae:~# curl https://www.ygdy8.com  // 1. works normally on the host
<meta http-equiv="refresh" content="1;URL=index.html">
root@qyi-58abe6739f7ae:~# docker exec -it 1e398e2637b5 bash
root@1e398e2637b5:/app# curl https://www.ygdy8.com  // 2. inside the container: certificate signing error
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
...
root@1e398e2637b5:/app# curl https://www.baidu.com   // 3. other https sites work fine from inside the container
<!DOCTYPE html><!--STATUS OK--><html>...</html>
root@1e398e2637b5:/app#

Expected:

I expect curl https://www.ygdy8.com inside the container to return the same result as on the host.

Troubleshooting I have tried myself:

1. Downloaded the certificate and accessed the site with that certificate specified explicitly; the result said the certificate had expired.
root@1e398e2637b5:/etc/ssl/certs# openssl s_client -showcerts -servername server -connect www.ygdy8.com:443 > ygdy8.pem
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=10:certificate has expired
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
quit

root@1e398e2637b5:/etc/ssl/certs# curl --cacert ygdy8.pem https://www.ygdy8.com
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

2. Looking at the communication, I found that the IP resolved on the host and the IP resolved inside the container differ, so I edited the container's hosts file to point the domain at the IP the host resolves. The result was the same as above: certificate has expired.
root@1e398e2637b5:/app# curl -v https://www.ygdy8.com/     // inside the container
*   Trying 104.233.229.10...
* TCP_NODELAY set
* Connected to www.ygdy8.com (104.233.229.10) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

root@1e398e2637b5:/app# exit   // leave the container

root@qyi-58abe6739f7ae:~# curl -v https://www.ygdy8.com/   // on the host
*   Trying 156.238.183.80...
* TCP_NODELAY set
* Connected to www.ygdy8.com (156.238.183.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=www.ygdy8.com
*  start date: Nov  3 00:00:00 2019 GMT
*  expire date: Nov  2 12:00:00 2020 GMT
*  subjectAltName: host "www.ygdy8.com" matched cert's "www.ygdy8.com"
*  issuer: C=CN; O=TrustAsia Technologies, Inc.; OU=Domain Validated SSL; CN=TrustAsia TLS RSA CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.ygdy8.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Content-Location: https://www.ygdy8.com/index.htm
< Last-Modified: Thu, 21 Nov 2019 13:08:25 GMT
< Accept-Ranges: bytes
< ETag: "806afc26ca0d51:802"
< Server: Microsoft-IIS/6.0
< Date: Wed, 04 Dec 2019 06:53:23 GMT
< X-Via: 1.1 localhost.localdomain (random:402452 Fikker/Webcache/3.7.9)
< Content-Length: 56
< Connection: close
<
<meta http-equiv="refresh" content="1;URL=index.html">
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
root@qyi-58abe6739f7ae:~#

3. On another ubuntu server B, I pulled the same image, started a container, and ran curl inside it without any problem at all. I suspect the problem is with server A, or rather with server A's docker network configuration. Docker was installed the same way on both machines, and no network-related configuration has ever been set.
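An added diagnostic for the situation in this post (my code, not from the thread or from curl): it parses the two `curl -v` transcripts, compares the peer IP and certificate fields between the host run and the container run, and names the divergence. The sample transcripts are constructed, trimmed excerpts of the host and container output quoted above; the regexes match curl's own line formats.

```python
import re
from datetime import datetime

# Line formats are curl's own (the ones quoted in the thread); only the fields a diagnosis needs.
_PATTERNS = {
    "ip": re.compile(r"\* Connected to \S+ \(([\d.]+)\) port"),
    "issuer": re.compile(r"\*\s+issuer: (.+)"),
    "not_after": re.compile(r"\*\s+expire date: (.+)"),
    "error": re.compile(r"\* SSL certificate problem: (.+)"),
}

def parse_curl_verbose(text: str) -> dict:
    """Pull peer IP, issuer, expiry and verify error out of `curl -v` stderr text."""
    report = {k: None for k in _PATTERNS}
    for raw in text.splitlines():
        line = raw.strip()
        for field, pat in _PATTERNS.items():
            m = pat.match(line)
            if m:
                report[field] = m.group(1).strip()
    if report["not_after"]:
        # curl prints e.g. "Nov  2 12:00:00 2020 GMT"; strptime tolerates the double space
        report["not_after"] = datetime.strptime(report["not_after"], "%b %d %H:%M:%S %Y GMT")
    return report

def diagnose(host: dict, container: dict, now: datetime) -> list:
    """Compare a host run with a container run and name why verification diverged."""
    findings = []
    if host["ip"] != container["ip"]:
        findings.append(f"dns-mismatch: host reached {host['ip']}, container reached {container['ip']}")
    if container["error"] and not host["error"]:
        findings.append(f"container-verify-failed: {container['error']}")
    if host["not_after"] and host["not_after"] < now:
        findings.append(f"host-cert-expired: notAfter {host['not_after']:%Y-%m-%d}")
    return findings

# Constructed excerpts of the two `curl -v` runs quoted in the thread (trimmed to the key lines).
HOST_RUN = """\
* Connected to www.ygdy8.com (156.238.183.80) port 443 (#0)
*  expire date: Nov  2 12:00:00 2020 GMT
*  issuer: C=CN; O=TrustAsia Technologies, Inc.; OU=Domain Validated SSL; CN=TrustAsia TLS RSA CA
"""
CONTAINER_RUN = """\
* Connected to www.ygdy8.com (104.233.229.10) port 443 (#0)
* SSL certificate problem: self signed certificate
"""

def run_thread_example() -> list:
    """Diagnose the thread's two runs as of the day it was posted (2021-09-02)."""
    return diagnose(parse_curl_verbose(HOST_RUN), parse_curl_verbose(CONTAINER_RUN), datetime(2021, 9, 2))
```

Run as of the thread's date it reports the DNS mismatch (104.233.229.10 versus 156.238.183.80), the container's self-signed-certificate failure, and that the host-side certificate's notAfter of Nov 2 2020 was already past, which is consistent with the "certificate has expired" seen in step 2 once the container was pointed at the host's IP.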

2#
Posted 2021-9-2 13:30
Reading through this post takes serious willpower; I gave up.

3#
Posted 2021-9-2 13:36
Could be an openssl version or configuration issue.

Inside the container:

* TLSv1.2 (OUT), TLS header, Certificate Status (22):

On the host:

* TLSv1.3 (OUT), TLS handshake, Client hello (1):

4#
Posted 2021-9-2 13:36
Compare whether the image signatures on your server A and server B are the same. Did you use the latest image? The two places differ.
EDA365 Electronics Forum (粤ICP备18020198号-1)